ios9自签名证书和应用传输安全

时间:2015-12-17 06:18:58

标签: ssl nginx ios9 tls1.2 app-transport-security

我花了一段时间试图让这个工作。我有一个API,我正在尝试使用自签名证书切换到SSL。我可以控制服务器和应用程序。

我根据这个生成了一个自签名证书:

https://kyup.com/tutorials/create-ssl-certificate-nginx/

sudo openssl genrsa -des3 -out ssl.key 2048
sudo openssl req -new -key ssl.key -out ssl.csr
sudo cp ssl.key ssl.key.orig & sudo openssl rsa -in ssl.key.orig -out ssl.key
sudo openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt

我在服务器上尝试了一些配置选项(NGINX)

ssl on;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
ssl_session_timeout 5m;
ssl_protocols  SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;

在客户端,我尝试了一些与ATS不同的选择:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>test.example.com (NOT REALLY MY DOMAIN)</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>test.example.com (NOT REALLY MY DOMAIN)</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

根据不同的ATS选项,我会收到错误:

An SSL error has occurred and a secure connection to the server cannot be made.

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
The certificate for this server is invalid. You might be connecting to a server that is pretending to be “MYDOMAIN” which could put your confidential information at risk.

有什么想法吗?还有其他人在使用自签名证书吗?

P.S。我是OS X 10.11.2 Beta,Xcode 7.1.1

2 个答案:

答案 0 :(得分:3)

我想出了这个问题。它与App Transport Security无关。我必须确保iOS信任证书,因为它不是来自受信任的机构。

通过覆盖NSURLRequest.allowsAnyHTTPSCertificateForHost来实现这一目标的老派方法并不起作用。

由于我使用的是NSURLSession,你必须这样做:

- (id) init {
    self = [super init];
    NSURLSessionConfiguration * config = [NSURLSessionConfiguration defaultSessionConfiguration];
    self.session = [NSURLSession sessionWithConfiguration:config delegate:self delegateQueue:[NSOperationQueue mainQueue]];
    return self;
}

- (void) URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler {
    completionHandler(NSURLSessionAuthChallengeUseCredential,[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
}

答案 1 :(得分:2)

只需要将.cer添加到SecTrust

<?php
$ip = $_SERVER['REMOTE_ADDR'];
$url = "http://extreme-ip-lookup.com/json/".$ip;

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,$url);
$info = curl_exec($curl);
curl_close($curl);

echo $info;
?>